Security Experts Debate Whether Anti-phishing Training Worth the Cost
The debate over whether it is pointless to train employees to recognize social engineering got louder after a Ponemon Institute survey suggested that anti-phishing training saves money.

Many network compromises start with phishing—a social engineering attack that arrives via email to dupe corporate workers into divulging passwords or other network application details—and employees continue to be vulnerable to these scams. In its latest annual Data Breach Investigations Report, for example, Verizon found that more than two-thirds of espionage-related breaches started with a phishing email.

Anti-spam products and services do not catch every phishing attack, so many companies have turned to user education in an attempt to make workers less likely to click on dodgy email messages. If the impact of phishing consists of constant nuisance attacks rather than a serious breach, such training can pay significant dividends, according to a survey released on Aug. 26 by the Ponemon Institute. The survey research firm polled 377 information-security and technology practitioners and found that the average company can save nearly $190 per employee, according to the analysis, which was funded by Wombat Security, a security-training firm.
"Every single phishing email that a person falls for ends up being a cost to the organization to go out and clean up the machine," said Joe Ferrara, CEO of Wombat Security. The cost involves downtime for the employees whose machine is affected as well as additional work for the help desk, Ferrara notes.